The z/OS® Profile Management Tool allows you to specify System Authorization Facility (SAF) profile prefixes (previously referred to as z/OS security domains) for your WebSphere® Application Server for z/OS configuration.
Note:
- You must set up a base Application Server using the WebSphere z/OS Profile Management Tool or the zpmt command before using the Application Server to set up a WebSphere Application Server, Network Deployment node, which is managed by the deployment manager process (dmgr). It is critical that you LOAD saved environment variables from the base Application Server into the deployment manager node that federates the base node. Do this before performing security customization on the deployment manager node.
- If the APPL class is active and you have defined a profile for WebSphere Application Server, make sure that all z/OS identities using WebSphere Application Server services have READ permission to the WebSphere Application Server APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. If you have not specified a SAF profile prefix, the APPL profile used is CBS390 or the name used as the SAF profile prefix. If you have specified a SAF profile prefix, the APPL profile used. When adding an administrator to the administrative console using local operating system security, if the APPL class is activated, the administrator's user ID must be authorized to the CBS390 (or the name specified as the SAF profile prefix) APPL class for RACF® as well. If the administrator's user ID is not authorized to CBS390 APPL, message BBOS0108E is issued, indicating that the credential-handling function (RunAsGetSpecCred) failed in routine because the user is not authorized.
- Once a profile is created, it is possible to control checking the APPL class profile from the administrative console by navigating to the SAF authorization options panel and by configuring the check box labeled "Use APPL profile to restrict access to the server".
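
The READ permission described in the second note item, written out as RACF commands (an added example, not taken from the original page). It assumes no SAF profile prefix was specified, so the APPL profile is CBS390; the group and user IDs WASCFGG, WASGUEST and WASADMN are placeholders for your own WebSphere identities.

```tso
 /* Added example. CBS390 is the profile name the page gives for a   */
 /* configuration without a SAF profile prefix. WASCFGG, WASGUEST    */
 /* and WASADMN are placeholder IDs (assumptions, not from the page).*/

 /* Define the APPL profile with no default access, so only          */
 /* explicitly permitted identities pass the APPL check.             */
 RDEFINE APPL CBS390 UACC(NONE)

 /* Server and configuration identities (placeholder group).         */
 PERMIT CBS390 CLASS(APPL) ID(WASCFGG) ACCESS(READ)

 /* Unauthenticated identity (placeholder user ID).                  */
 PERMIT CBS390 CLASS(APPL) ID(WASGUEST) ACCESS(READ)

 /* Administrative console administrators (placeholder group).       */
 /* Without this, adding the administrator fails with BBOS0108E.     */
 PERMIT CBS390 CLASS(APPL) ID(WASADMN) ACCESS(READ)

 /* Required only when the APPL class is RACLISTed: refresh the      */
 /* in-storage profiles so the new access list takes effect.         */
 SETROPTS RACLIST(APPL) REFRESH

 /* Verify: list the profile together with its access list.          */
 RLIST APPL CBS390 AUTHUSER
```

Granting READ through groups rather than individual user IDs keeps the access list short and makes the RLIST output easier to audit.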